pretalx / pretalx-docker

Docker setup for a complete pretalx installation. Community-sourced, not officially supported.

django SECRET_KEY is reused #10

Closed. luto closed this 5 years ago.

luto commented 5 years ago

As far as I can tell, the secret key for the prebuilt image is generated exactly once during pip install (via the calls to call_command, which load the settings, which generate a key if there is none). The README of this repo tells users to follow the configuration guide, which explicitly marks SECRET_KEY as optional.

When using the prebuilt image without a SECRET_KEY set in the config, pretalx will run with the SECRET_KEY baked into the image as ./pretalx/src/data/.secret. This key is shared across all pretalxes run this way, and it is public. Since it's not supposed to be public, this is probably a bad idea :sweat_smile:

I am not sure how to resolve this, though. As an immediate work-around, maybe remove the .secret file during build, after the last python3 command? This makes pretalx generate a new key on each container start. A long-term solution would be to enforce a SECRET_KEY in the config in docker setups.

rixx commented 5 years ago

I'm all in favor of removing the .secret file during build – @maxrink, what do you think?

raphaelm commented 5 years ago

Have you tested if this actually happens? As I see it, yes, ./pretalx/src/data/.secret is baked into the image (and we should still fix that), but never gets read in production, because in production, DATA_DIR is set to /data by default, where one usually mounts a volume. This way, in production, a new .secret will be created in that volume and used.

MaxRink commented 5 years ago

I agree with @raphaelm's point. It should never get used in a production setup. However, adding a line like RUN rm -f /pretalx/src/data/.secret to the Dockerfile would not hurt anything.
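To make the build-time versus run-time behaviour discussed above concrete, here is an added example; it is not pretalx's settings code and not from this thread. It is a hypothetical re-implementation of the "read <DATA_DIR>/.secret, or generate and write one" pattern luto describes, with a small simulation of `docker build` (settings loaded once, key written into the image) and `docker run` (a fresh copy of the image filesystem per container, with DATA_DIR either left at the baked path or pointed at a volume such as /data, as raphaelm notes production does). The function names, the `strip_secret` flag modelling the proposed `RUN rm -f /pretalx/src/data/.secret`, and the directory layout are all assumptions made for the example.

```python
import os
import secrets
import shutil
import tempfile
from pathlib import Path


def load_or_create_secret_key(data_dir, configured_key=None):
    """Return a Django SECRET_KEY following the pattern described in the issue.

    Hypothetical re-implementation, not pretalx's own settings code: an
    explicitly configured key wins; otherwise the key is read from
    <data_dir>/.secret, and if that file is missing a fresh one is generated
    and written there so later starts reuse it.
    """
    if configured_key:
        return configured_key
    secret_file = Path(data_dir) / ".secret"
    if secret_file.is_file():
        return secret_file.read_text().strip()
    key = secrets.token_urlsafe(50)
    secret_file.parent.mkdir(parents=True, exist_ok=True)
    secret_file.write_text(key)
    os.chmod(secret_file, 0o600)  # the key is a secret; keep it owner-readable only
    return key


def build_image(image_root, strip_secret=False):
    """Simulate `docker build`: settings get loaded once at build time (the
    call_command calls during pip install), which creates
    <image>/pretalx/src/data/.secret. strip_secret=True models the proposed
    `RUN rm -f /pretalx/src/data/.secret` step after the last python3 command."""
    baked_dir = Path(image_root) / "pretalx" / "src" / "data"
    key = load_or_create_secret_key(baked_dir)
    if strip_secret:
        (baked_dir / ".secret").unlink()
    return key


def start_container(image_root, container_root, data_dir=None, configured_key=None):
    """Simulate `docker run`: each container gets its own writable copy of the
    image filesystem. data_dir is what DATA_DIR resolves to: the baked path
    inside the container when unset, or a mounted volume (e.g. /data)."""
    shutil.copytree(image_root, container_root)
    if data_dir is None:
        data_dir = Path(container_root) / "pretalx" / "src" / "data"
    return load_or_create_secret_key(data_dir, configured_key)


def key_is_shared_with_image(key, image_root):
    """Audit check: is this instance running on the key baked into the image?"""
    baked = Path(image_root) / "pretalx" / "src" / "data" / ".secret"
    return baked.is_file() and baked.read_text().strip() == key


def demo():
    """Run the scenarios from the thread on constructed temp dirs; return results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)

        # Scenario 1: .secret baked into the image, DATA_DIR left at the baked path.
        image_a = tmp / "image_a"
        baked = build_image(image_a)
        k1 = start_container(image_a, tmp / "c1")
        k2 = start_container(image_a, tmp / "c2")
        results["baked_key_reused"] = k1 == k2 == baked and key_is_shared_with_image(k1, image_a)

        # Scenario 2: DATA_DIR points at a volume; each deployment gets its own key,
        # which persists across restarts of that deployment.
        vol1, vol2 = tmp / "vol1", tmp / "vol2"
        v1 = start_container(image_a, tmp / "c3", data_dir=vol1)
        v2 = start_container(image_a, tmp / "c4", data_dir=vol2)
        results["volume_keys_unique"] = v1 != v2 and not key_is_shared_with_image(v1, image_a)
        results["volume_key_persists"] = start_container(image_a, tmp / "c5", data_dir=vol1) == v1

        # Scenario 3: .secret stripped during build and no volume: a new key per start.
        image_b = tmp / "image_b"
        build_image(image_b, strip_secret=True)
        s1 = start_container(image_b, tmp / "c6")
        s2 = start_container(image_b, tmp / "c7")
        results["stripped_image_keys_unique"] = s1 != s2 and not key_is_shared_with_image(s1, image_b)

        # Scenario 4: SECRET_KEY set explicitly in the config always wins.
        results["configured_key_wins"] = (
            start_container(image_a, tmp / "c8", configured_key="from-config") == "from-config"
        )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `key_is_shared_with_image` check is the practical takeaway: on a real deployment the equivalent is comparing the key your container actually uses (from the config or from the `.secret` file under the effective DATA_DIR) with the one shipped in the image layer; if they match, every other instance started the same way can forge your signed cookies and tokens.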

rixx commented 5 years ago

Thank you, all of you.

luto commented 5 years ago

ooooh, well. :man_facepalming: